What the New DOJ Cryptocurrency Enforcement Team Means for Crypto Exchanges and Other Entities That Facilitate Digital Asset Transactions
The Department of Justice has touted its success prosecuting crypto-related misconduct for years. It has indicted individuals for deploying digital ransomware; shut down child pornography websites that relied on virtual currency accounts; and dismantled terrorist financing campaigns fueled by cryptocurrency donations. The government has also publicized its recent success seizing billions of dollars’ worth of cryptocurrency traced to illegal activity on the dark web, including to ransomware payments. DOJ’s principal focus has been on the criminal actors themselves, and not necessarily on the companies that facilitate illegal digital asset transactions. That is now likely to change.
On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the creation of a National Cryptocurrency Enforcement Team (NCET), a group comprised of federal prosecutors from the Money Laundering Asset Recovery Section (MLARS), the Computer Crime and Intellectual Property Section (CCIPS), and other Assistant U.S. Attorneys detailed from U.S. Attorneys’ offices around the country. NCET is poised to “investigate, support, and pursue cases against cryptocurrency exchanges, infrastructure providers, and other entities that are enabling the misuse of cryptocurrency and related products to commit or facilitate criminal activity.” This announcement represents a marked shift in focus from the criminal actors themselves to the companies that, in the government’s view, provide the services and technology in the crypto space to make the crimes possible.
NCET is likely to bring criminal actions in a number of areas including: (1) Anti-money laundering (AML) compliance; (2) Sanctions compliance; and (3) Fraud related to decentralized finance (De-Fi) activity. Recent DOJ prosecutions and regulatory enforcement actions provide insight into what crypto-exchanges, infrastructure providers, and other crypto businesses can expect.
AML Compliance
To deter money laundering involving cryptocurrency, the government has prosecuted online marketplaces and exchanges that fail to comply with their obligations under the Bank Secrecy Act (BSA). In the United States, entities that offer money transmitting services involving virtual assets, such as cryptocurrency exchanges and kiosks, are considered money services business (MSBs) under the BSA. MSBs are required to register with the Financial Crimes Enforcement Network (FinCEN), and must maintain AML policies and procedures including know your customer (KYC) requirements.
The DOJ has already prosecuted several exchanges and other online marketplaces for failing to comply with the BSA. For example, in 2017, prosecutors indicted the virtual currency exchange BTC-e and one of its principal operators for operating as an unlicensed MSB and failing to implement AML processes such as requiring users to validate their identities. More recently in 2020, the operator of Herocoin pled guilty to running an illegal virtual-currency MSB that allowed customers to exchange cash for bitcoin and vice versa. In his plea agreement, the operator admitted to failing to register Herocoin with FinCEN, as well as failing to (1) conduct due diligence on customers, (2) file transaction reports for exchanges more than $10,000, and (3) file suspicious activity reports (SARs).
Going forward, NCET will likely work with FinCEN to investigate and prosecute exchanges and service providers that the government believes qualify as MSBs. It is critical that entities operating in this space (including entities located outside the United States) receive guidance regarding whether they qualify as MSBs or virtual asset service providers (VASPs) under the framework and guidelines established by FinCEN. All MSBs, including VASPs when applicable, must be sure they are complying with their obligations under the BSA. This includes establishing an AML program reasonably designed to prevent money laundering and terrorist financing; meeting certain record-keeping requirements; and filing currency transaction reports and SARs.
Sanctions Compliance
According to the DOJ, cryptocurrency’s decentralized and peer-to-peer format allows sanctioned entities to continue to access the financial markets in violation of U.S. foreign policy and national security interests. The U.S. sanctions regime imposes strict liability on anyone or any company which transacts business with anyone or any company in a sanctioned jurisdiction (e.g., Cuba, Crimea, North Korea), or that appears on the specially designated nationals (SDN) list. In the cryptocurrency space, this means that any company operating in the United States, whether or not it qualifies as an MSB, must ensure it is not facilitating transactions from blocked jurisdictions, individuals, or cryptocurrency addresses.
Twice this year, the Office of Foreign Assets Control of the U.S. Department of the Treasury (OFAC) has listed virtual currency exchanges on the SDN list. First, in September 2021, OFAC listed SUEX, a virtual currency exchange, on the SDN list because it facilitated financial transactions for ransomware actors. According to OFAC’s press release, an analysis showed that over 40% of SUEX’s known transaction history was associated with illicit actors. On Nov. 10, 2021, OFAC added Chatex and several affiliates to the SDN list, noting the close ties to SUEX. OFAC’s announcement noted that over half of Chatex’s known transactions were directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware.
On Oct. 1, 2020, the government brought criminal charges against the founders and executives of BitMEX, a convertible virtual currency derivatives exchange incorporated outside of the United States. The criminal charges focused on BitMEX’s failure to comply with the BSA; however, FinCEN brought a parallel enforcement action alleging that BitMEX conducted no sanctions screening on its customers, and failed to mitigate the risk that their customers were located in U.S. or U.N. sanctioned countries. In a separate enforcement action brought on December 30, 2020, OFAC entered into a settlement with BitGo, Inc., an unhosted wallet service, for allowing customers from sanctioned jurisdictions to open accounts. According to OFAC, BitGo was tracking its users’ IP addresses for security purposes related to account logins but failed to check whether the IP addresses were from sanctioned jurisdictions.
OFAC will certainly continue to seek civil penalties from exchanges and infrastructure providers who do not screen their customers or transactions against the SDN list. Although the DOJ has historically left sanctions enforcement to civil regulators, there is no doubt that NCET would criminally prosecute individuals or entities for providing material support to terrorists, or for facilitating other crimes implicating U.S. national security. On Oct. 15, 2021, OFAC issued a compliance guide setting forth sanctions compliance best practices for the virtual currency industry. Even entities that are not subject to the more rigorous AML/KYC requirements under the BSA must implement sanctions compliance. OFAC recommends, among other things, incorporating geolocation tools and IP address blocking controls to ensure that companies are not doing business with or facilitating transactions from sanctioned jurisdictions. Companies must also screen customer information and transaction information (such as cryptocurrency addresses) against the SDN list.
Fraud Related to De-Fi Activity
Decentralized finance, or De-Fi, represents the catchall term for financial services (such as lending and trading) that use digital assets and operate on an open-source financial network outside of regulatory oversight. Many of the products offered on De-Fi platforms qualify as securities or derivatives, triggering the jurisdiction of the SEC and the CFTC. Failure to register can result in an enforcement action. For example, in October 2020, the CFTC sued the owners of BitMEX for offering leveraged retail commodity transactions, futures, options, and swaps on cryptocurrencies without first registering as a futures commission merchant. More recently, the SEC threatened Coinbase Global, Inc., the largest cryptocurrency exchange platform in the United States, with an enforcement action unless it halted its crypto-lending program of interest-earning cryptocurrency products. Similarly, on Oct. 18, 2021, the New York Attorney General’s office directed two cryptocurrency lending platforms to immediately cease operations for allegedly offering their products to New Yorkers without being registered.
The DOJ has also prosecuted cases in this area. In July 2018, the government charged the operator of two online bitcoin services with securities fraud. WeExchange functioned as a bitcoin depository and currency exchange service, whereas Bitfunder facilitated the purchase and trading of virtual shares of business entities that listed their virtual shares on the BitFunder platform. The operator of both platforms, Jon E. Montroll, pleaded guilty to converting a portion of the customers’ bitcoin to his personal use without the users’ knowledge or consent. He also admitted to failing to disclose a hack of the BitFunder programming code that allowed the hackers to walk away with approximately 6,000 bitcoin.
NCET will likely work together with the SEC and CFTC to monitor the activity of De-Fi platforms to ensure that they are appropriately registered. Companies that operate in this space should seek advice regarding whether their products qualify as securities and/or derivatives under the securities and commodities laws. NCET will likely be looking to investigate and indict De-Fi providers with securities fraud and other criminal statutes if they are suspected of implementing cryptocurrency schemes or making misstatements in order to bilk unsuspecting investors. De-Fi platforms must also be vigilant about having adequate reserves and protecting investors’ digital assets against internal threats and external hacks.
* * *
The DOJ’s announcement of NCET should serve as a wake-up call to crypto exchanges and other entities that facilitate digital transactions. They should be sure to implement appropriate and risk-based AML and sanctions compliance regimes for the size and function of their businesses. Platforms operating in the De-Fi space should check federal and state registration requirements and implement safeguards against fraud and other regulatory risks.
“What the New DOJ Cryptocurrency Enforcement Team Means for Crypto Exchanges and Other Entities That Facilitate Digital Asset Transactions,” by Jennifer L. Achilles and Jed M. Silversmith was published in the New York Law Journal on December 3, 2021.
Reprinted with permission from the December 3, 2021, edition of the New York Law Journal © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com.